Blink: Intent to Implement and Ship: 'unsafe-hashed-attributes' in CSP3 https://groups.google.com/a/chromium.org/d/msg/blink-dev/bUAhkdsrmqE/nimnFDG3BAAJ …
-
It also enables new CSRF-like XSS attacks. Developers will use it because it's easier than rewriting. Not sure if this is a good idea.
-
Do pages whitelist handlers on a per-page basis or do you think there will be one policy containing all handlers of an app?
-
Also, is the attribute name part of the hash?
-
It's likely going to be a per-page policy generated automatically by middleware for static HTML, allowing only scripts from the current doc.
-
One of the proposals was to include event handler names, but this seems more complicated for little benefit so I'd prefer to avoid it.
-
It would disable a lot of the code-reuse attack vectors.
-
For common EHs like onclick, onload, onmouse* this seems tough b/c the attacker controls the DOM and can dupe the user into causing events.
-
Yes, but it prevents the attacker from reusing an onclick handler in an onload handler.